Rusting control against cyber war?

Concepts for the occlusion of cyber wars are available — aming the political will is available

For it security, the end of 2009 was waited for surprises: one of the most important commercial representatives of the it security industry demands an open debate on the dangers of cyber wars, while the us and russia spells on cyber root control. Sabotage campaigns in cyberspace have become so dary of many actors that acting is notative.

Mcafee, according to its own "worldwide it security company", yields all yearly "virtual criminology report" out. In 2009, this report did not work for the first time with general it security ies and their criminal causes, but with government agencies and threats "as good as invited" cyber war.

At 13th. December 2009, the new york times reported that the us has recorded negotiations with russia to one "improvement of internet security and limitation of the military use of the internet" to reach. Further conversations are scheduled in new york and garmisch-partenkirchen. The existence of this speech alone represents a significant departure from a year-long defense against the us against negotiations on this topic. Not quite as surprising was that it was essentially reported on differences that only hope for limited progress.

Cyber war lead was a popular terror scenario for many years, which became more obvious, the more intense one deals with it. Meanwhile, there are enough examples of cyber war actions to make a company like mcafee on the side of serious mahner and usa and russia to the negotiating table.

1. From hype to serious threat: the economy makes mobile

Anyone who wants to influence political conflicts with modern technical means today access to manipulation of it systems. The climate summit in copenhagen was only one last example in 2009. In autumn, the attacks on the servers of the most important climate research institutes. On the 17th. November 2009, just in time for the climate summit, were emails from climate researchers "anonymous internet servers in russia" the press used to sabotage the climate debate with falsification against scientists after kraften — an action as out of the textbook for information warfare.

A few weeks before, in august 2009, published the private u.S. Cyber consequences unit (u.S. Ccu) a detailed investigation of cyber war guide in the war between georgia and russia in august 2008. The most important result of the detailed investigation was that an analysis of it security fees today is very similarly possible in a very similar manner as an investigation of the exclusive and the course of a conventional conflict through producing militar observer. The u.S. Ccu took the fact that the attackers in cyberspace civilians have been without direct participation of russian authorities or militars, which were informed in advance about russian militar actions.

If professionally and hard-driven cyber militia is now given to normal condition in the environment of important conflicts, so the more urgent the question arises what is done against cyber warring.

Right at the beginning of the "virtual criminology report 2009" provides dave dewalt, ceo of mcafee, that it does not go about a new hype or other hits. It goes instead that the largely behind-locked deals will discuss the discussion about cyber warring, which would have serious consequences for the general public, also discussing in the openness.

This is formulated diplomatically. The real message of the report is unmistakable: mcafee has previously set itself as an it security company for its own economic benefit so far with the technically interested hacker offspring and the organized cybercriminals. This excery business basis is fundamentally changed by cyber’s military.

Because in the league of cyber warriors, state actors play that can use important emergents such as time, money, it resources and criminal energy for manipulation of computers and networks as needed. Their single real border is the availability of well-qualified personnel and its ingenuity.

Mcafee obviously realized that there is no company in the world against this class of actors, to provide it security for its customers. Therefore, mcafee now demands an open debate on the status quo and the other goals. Openness is a good start, but it is not a solution. The debate about cyber warring will soon shock itself without concrete ideas for the solution of the problems soon.

When taking the problem seriously, one comes to the solution against cyber war management on the only available solution approach: cyber rust control. And that does not just pray the abstract logic, as the negotiations of russia and the us show.

2.Cyber rusting control: a negligible area

The idea of cyber rusts will be absurd for many at first glance. It is by no means at no attention. There are even decades of experience with very special forms of cyber root control, from which important conclusions could be drawn, if one wanted to pursue this politically seriously.

Cyber root control in the comprehensive sense has been done little. 1995 love of the subcommittee "rusting and rust control" of the german bundestag a first study on conventional and praventive rusts of it general and from cyber’s military management in particular by the buro for techniksolgen restrict at the german bundestag (tab) commission and develop.2 especially for cyber war driving have since then made academic considerations to various questions of international law of the u.S. National defense university and in addition to the rusts of the research group information society and security policy (information warfare: the new challenge for the rust control). The first approach developed for the tab "computer science for abruming and rusts" were taken up again in the context of the "master of peace studies" at the fernuni hagen3.

Politically, the topic in germany is currently represented as one of the tasks of the adment offer, where in the unit 241 in addition to conventional rusts also the "praventive rust control to new threats (u.A. Information war guide)" is edited.

But neither the conceptual level nor the political objectives and their prioritat still operational ies of verification are previously examined in a satisfactory scope. For this reason, the terminations do not play an essential role for the time being: cyber rusts and agreements on cyber militia will be a mixture of various ingredients, which both the security of it systems and the internet strong, the use of certain systems as well as the development and dissemination regulate from certain tools. What here below the term "cyber rusting control" in summary, therefore, describes a concept of art for very heterogeneous aspects of it security. Today, the realitat requires new remarks as well as the jerk handle on usable known approaches.

3.What’s about: it weapons and it rusting control, not information technology in general

The key point of most work so far was the question: what is cyber’s warring and how to limit themselves legally? At best in bauratzen, it was discussed about which possibilities to restrict the opposite or in the foreseeable future and how international regulations could look concretely. The spectrum of possibilities from the overall matter — for example, based on the geneva convention — to regulate military actions and the protection of civil avenue before the consequences of cyber militia carrying over the monitoring of rust efforts to the — even for conventional weapons. Questions of praventive rusting control.

A realistic approach had to be tailored to which role models from the existing legal framework are derivable or transferable and which measures can be verified. The result of a consideration for limiting cyber’s military management was allowed to consist of a specific mix of these different levels in order to contribute to a verifiable manner to a limitation of cyber military.

The first question is, in which contractual role models the political objectives of an agreement should be oriented to regulate military acts of cyber militia.

The smallest common denominator forms the geneva convention of 1949. There is the totung of civilians and attacks on "civilian" forbidden. The additional protocol of 1977 expanded the protection strongly and now also regulates methods of war carrying, the attacks on civil avocculation, as well as attacks on civiline objects, dangerous facilities and "for the civil avenue of vital objects" to forbid. Anyone who then makes a hydrocaria functionally unable through military cyber war actions or brings a chemical system to the havarie, was already allowed to violate the geneva convention. Such a contractually agreed basis will already be used as a starting point for a concretion of cyber warmanship and other political initiatives.

The second question is the relevant technologies. In the case of previous rusts of the rule, it was above all attempted to prevent the production of weapons of mass destruction, the distribution of relevant technologies and those of rapid support systems — especially missiles -. In nuclear weapons, specific technologies and cleavable material are subject to an international control regime. Nuclear weapon tests are now prohibited and are subject to an international verification regime. In the control of organic and chemical weapons, it succeeded in addition to the toxic agents themselves even pre-products, operations and facilities for the production of shaped substances and graded in a rust control regime to take into account.

In order to adapt these and similar established procedures and collections, cyberwar actions and technologies were to be defined for international collections and for root control purposes and to delinose civilian technologies. In addition, verification measures are to be developed, which are specific enough to be effective for clearly focused purposes.

Such has not been developed so far. This is so remarkable than there is now a colorful mix of military definitions of the purposes of cyberwar. Result of this conceptual deficiency is that the first objection to any type of cyber root control is made, it is generally simply not controllable. Technical progress is too fast, the development options and distribution via the internet unlimited and the control therefore absolutely operable. On it and software development in full and generally sourced, maybe that is correct. But the technology in their full width is not all about.

What it can happen shows a jerk handle on a very old example. At the time of the cold war, the western economy nations tried to make access to specific high-tech products as much as possible as much as possible. At the beginning of 1950, that took "coordination committee for multi-page export controls" — short cocom — in paris his work on. The states of nato and other funded persons agreed there their laws on technology exports to certain states. Pioneering were the usa, which set up computer software for the first time in 1979 for the first time on a continuously updated list of products, their exports to the national "u.S. Export administration act" was inadequate.

The u.S. Export administration act and cocom have long been highly controversial, especially after 1979 were banned in addition to the export of interconnection software — and the records of knowledge of it — in the usa. As a result, in 1983, the export of unix operating systems from the us into the federal republic was temporarily in 1983, because the operating system contained closure algorithms.4

Cocom not only has been pursued military goals, but unilaterally and again economic interests. The export of information technology was never completely prevented in this way. Various gross it companies, including too ibm5, were sentenced over the years to high bubbles because of the break of the embargo regulations. However, the illegalitat of the embargomandel pushed the costs strongly up and dear the available offer clearly shrink.

Many of the superior regulations ended with the cold war. But even after the end of cocom 1994, the idea of the control of rustic exports was further. According to the wassenaar agreement on rusts and good with civil and military usability (dual-use-good), which has also joined russia, it will continue to coordinate which militarically relevant good to certain countries are not delivered. Today it is primarily about weapons and nuclear technology, but for example, the prohibition of supply of supercomputers and software for the simulation of passes, which are crucial for the construction of mass destruction weapons.

Cocom and the export control, which was up to date, have led to significant problems — especially if the export controls were expanded for general political purposes and not primar security policy objectives. It is crucial, however, that with cocom and today with the wassenaar agreement, it is well probably possible for it and software to find an internationally consensus definition of concrete high technology, which has great importance for concrete dangers and also the dissemination of such a defined technology also greatly control.

Rusting control in the high-technologies sector is clearly not adequately and differentiated enough for the requirements of cyber root control. However, it exists a conceptually understood and long-proven basis, which could be developed from a new procedure feasible into practice. But it was necessary for further starting points.

4.How to support rust control goods: find definitions and recording distribution channels

The control of the spread of technology is then particularly difficult if it is intangible good. Security policy for cyber military driving relevant it security technology is in principle definitely tangible and technologically also delimited by civilian benefit events. For a cyber rust control, there are three types of tools that can be narrowed quite well:

  1. For some forms of software for cyber military management, it is valid as special software for it security of commercial providers is distributed regularly in a controllable way. Such software is therefore subject to the same controllable sales conditions as good, which have been regulated in the export control regimes for years.
  2. The opposite of the commercial commercial sales and its control are numerous "hacker tools" dar. Much of this is freely available on the internet and thus basically uncontrollable — and this is made of good reasons, since with you it security swagen can be spurted from general meaning. The occasion of such tools is not worthy if their use leads to the publication of security and for the development of security patches and hopefully ultimately demands the improvement of the quality of software. For all problems, the end result of this race is between "hack" and software developers a high it security in general, free and openly available level. This openness is crucial because a one-sided security policy effective advantage for cyber military fuses from this race is not to be pulled as long as the technical development and communication on it security swallow free and for everyone is comprehensible.
  3. Technologies, knowledge and skills to it security deficits, which bring only one side to advantages or are not openly discussed. In the organizations of botnet operators, spammers and providers of other uses of malicious software, this is visible in the offers to offer or rely on the software packages according to different business models as a service. The business base for this action is your control over the spread of malicious software and their effect. The same applies in principle if cyber war management is to be used: a predictable effect mainly achieves attacks on unknown it security and actions beyond the generally discussed it security situation.

This third form of software is difficult to control in its dissemination, but only identify in its effects: infected computers, firewall reports, data connections with unknown destination. Such analyzes are the classic task of it security specialists in companies and some specific agencies — typically the computer emergency response teams (certs) in a private and public hand, which share many of their insights and partly act together.

These competences are also indispensable in a cyber root control. The informal exchange is at least an essential basis for the coordinated reaction of civilian actors on threats of it security. Your contribution had to be the identification of the attack paths and procedures to also put cyber warriors. Although cooperation, for example, in "german cert-verbund" improved, the verification of cyber root control could continue where these security specialists are already trying to recognize distributed attackers, analyze their actions and localize their origin. Especially the cooperation of civilian and government agencies could help to receive an open discussion about threat analyzes.

For a transfer of this work into security-political verification regimes, the reliability of the valuation of high importance is. Especially the already cited investigation of cyber activities in conflict between georgia and russia in august 2008 by the private u.S. Cyber consequences unit (u.S. Ccu) in 2009 showed that private organizations also have an effective instrumentation for the pursuit of cyber attacks, which also provides an analysis and evaluation of actions as well as the allocation of intimate attackers pursued with police resources. Could become. Improved international cooperation between certs and other expert it security facilities in the private and public sector has been a significant progress in monitoring compliance with international incomes. Such a cooperation was the same political approach as the establishment of verification centers in various international inconsistencies.

5.Cyber arms control concretely: mabstabe for the political will

With the further development of proven means of an international control regime and the expansion of analysis facilities for it security, such as the certs and its cooperation, essential foundations were quickly created for international it security.

Further, but undoubtedly possible improvements are easily designated: more experts, better and more specific tools such as forensic analysis tools and communicating network monitors for anomalizing recognition without interventions in privacy as well as clear cooperation relationships between individual institutions were able to progress in a short time for the it reliability generally and also for a cyber root control.

It is also not difficult to define priority political objectives for the definition of inadmissive military actions according to a possible cyber rusts of the cyber: a transfer of striking war law in the digital space and thus the protection of critical civil infrastructures and private it. This is also the unanimous result as well as all those who have been scientifically cultivated with this question.

And should prepare for all kinds of materials conceptual problems, for example transferring the protection of hospitalists from militar actions to the digital world, so love to realize as a simplest technical answer to this problem quickly, computer networks of hospitals through unambiguous signatures of their firewalls as such — analogous to the flag of the red cross in the real world — to identify the geneva convention and to protect against attacks.

And to immediately remove the next misunderstanding: the geneva convention does not prevent the break of its rules — such as the attack on a hospital — but should scare before, because an attack as a unlawful action can also be punished in the war before a respective court. Precisely because this concrete example is so easy, at such a mab is considered that many solutions for a contractual catch of cyber rust control were quite feasible with today’s technology and legal regulation. For many of the still open questions, a concrete research agenda will define itself and name goals for international appointment.

So there are very concrete solutions, if it is a political initiative and the interest that — even thanks to up-to-date contributions like that of mcafee — slowly conscious of consciousness to solve problems.

6.If usa and russia are active, there will be cyber rust control — or there are other ways?

The fact that the us and russia currently entertain about an agreement to enlarge cyber war guide is a striking new development, albeit with ramped chances of success. However, the prospects for a cyber root control should be measured at the bar, which was launched for previously completed international appointment. Thus, the nuclear absorption is far more important for the survival of humanity than a functioning it. As a step to the incident since the 1950s, a nuclear test stop has been compressed politically heib. Although the then soviet union and the united states were contractually agreed in 1963 at the end of the oberground test, the conclusion of a complete nuclear test stop agreement, the comprehensive nuclear test ban treaty (ctbt), lasted until 1996. The us has not ratified the contract until today.

The verification of nuclear bombest tests was considered crucial for the signing of the contract. For the scientific feasibility of a monitoring of nuclear tests, long and bitter was argued6, not least in the intention of reinforcing an agreement after possibility7. It was politically questioned whether scientists are able to detect nuclear weapon tests through seismic quantities. Was asserted that on-site checks were necessary for final clarification, although in 1970, as early as 1970, the ministry of defense in habits before the congress had arisen that they do not provide data that have not already been collected by other procedures. Not the technology, but the political will was the problem, says jack everden in the bulletin of the atomic scientist8:

There is no technical obstacle for the negotiation of a verifiable atomic testist contract. But the implementation of a rational solution to a political problem is far more difficult than it is to find this solution itself.

Jack everden

Only the initiative of numerous independent scientists and their evidence of feasibility through their self-organized networking of seismic measuring points laid the scientific basis for the ctbt and the structure of the ctbt organization in vienna (ctbto) for monitoring the nuclear test stop. The still under construction ctbto has a network of measuring stations with which nuclear tests are globally exposed and localized worldwide. The ctbto network shows the success of a civilian scientific initiative, but at the same time the limits of the evaluation of available data and news sources: without a minimum of resources and thus, for example, preparation for a crisis pravention, no security policy can be achieved.

For contracts to limit the use of cyber weapons, a significant doctrine can be drawn from the previous contracts: all previously completed collection of rusts document the principal indignation of the stakeholders to submit their political and military action to an international control regime. Relatively simple it was still to establish unilateral control measures such as cocom and other export control measures. If the consequences of international agreements, but consult their own actions, were negotiating successes at best after a long time and to achieve a long time. The question of a rusts of cyber’s military driving is therefore one of the address of governments, which are also preparing for cyber attacks by third parties as well as on their own use of novel "cyber weapons". These are now in addition to the us russia, china and a series of individual hosts.

The experience of the last 60 years shows that the interest of potential users of comparable attack weapons at rusts control agreements is low. The current talks between the us and russia about a strong cyber security alone document alone a new and more realistic assessment of threat scenarios by the usa that threatens to be acute by cyber attacks against high technology nations and can achieve the significant damage effect.

The it and the internet but also offer new ways, solving approaches against the accompanying political actors: the example of the complete nuclear test stop agreement showed that the cooperation and networking of results of responsible scientists brought politics in zugzwang. Against political interests, they have posted the arguments against a contract and — with political support of individuals — proved that a verification is possible. Important forms of cyber root control were also carried out by the cooperation of many — private and state — facilities. The way there was much stronger than in previous technologies without reluctant state actors possible, as long as the interest in a civilian side of reliable it security is coarse enough with a relevant it security.

Of the "virtual criminology report 2009" names state cyber warriors as very real risks for the it security of civil society. Consistently intended, this should be a first step on the way to achieve a cyber root control after mabs of civil society.